MEDIUM
Source
Trivy/CSPM
CSPM ID
kms-key-rotation
ID
AVD-AWS-0065

A KMS key is not configured to auto-rotate.

You should configure your KMS keys to auto-rotate to maintain security and defend against compromise.

Impact

Long-lived KMS keys increase the attack surface when compromised.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for KMS.
  3. Scroll down the left navigation panel and choose “Customer Managed Keys” under “Key Management Service”.
  4. Select the key that needs to be verified by clicking on its alias under “Alias”.
  5. Scroll down the “Customer managed keys” page, click on the “Key rotation” tab and check the “Automatically rotate this CMK every year” status. If it is not checked, the selected KMS key is not set to rotate on a regular schedule.
  6. Repeat steps 2 - 5 to verify the other KMS keys in the selected AWS region.
  7. Navigate to “Customer Managed Keys” under “Key Management Service” and select the KMS key that needs to be modified to enable yearly rotation.
  8. Scroll down the “Customer managed keys” page and click on the “Key rotation” tab. Enable the “Automatically rotate this CMK every year” checkbox and click on the “Save” button to apply the change.
  9. Repeat steps 7 - 8 to enable yearly rotation for any other KMS keys that need it.
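The console procedure above checks and fixes one key at a time. The following is an added example, not code from the Trivy/AVD page, showing the same check as a small script: it evaluates records shaped like the AWS `describe-key` (KeyMetadata) and `get-key-rotation-status` responses and emits the `aws kms enable-key-rotation` command that corresponds to step 8. The scope filters (skipping AWS-managed keys, asymmetric and HMAC keys, imported or CloudHSM-backed key material, and keys pending deletion, none of which can be auto-rotated by KMS) are this example's own assumptions, not the exact logic of the Trivy check; the sample keys and their IDs are constructed placeholders.

```python
"""Flag customer-managed KMS keys without automatic rotation (AVD-AWS-0065).

Added example; it runs offline over constructed records shaped like the
KeyMetadata and GetKeyRotationStatus payloads of the AWS KMS API.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Automatic rotation is only available for symmetric keys whose material was
# generated by KMS. Asymmetric, HMAC, imported (EXTERNAL) and custom key store
# (AWS_CLOUDHSM) keys cannot be auto-rotated, so flagging them is a false positive.
ROTATABLE_SPECS = {"SYMMETRIC_DEFAULT"}
ROTATABLE_ORIGINS = {"AWS_KMS"}


@dataclass(frozen=True)
class KmsKey:
    key_id: str
    key_manager: str        # "AWS" (AWS managed) or "CUSTOMER"
    key_spec: str           # e.g. "SYMMETRIC_DEFAULT", "RSA_2048", "HMAC_256"
    key_state: str          # "Enabled", "Disabled", "PendingDeletion", ...
    origin: str             # "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
    rotation_enabled: bool  # KeyRotationEnabled from get-key-rotation-status


def from_api(metadata: dict, rotation_status: dict) -> KmsKey:
    """Build a KmsKey from a KeyMetadata dict and a GetKeyRotationStatus dict."""
    return KmsKey(
        key_id=metadata["KeyId"],
        key_manager=metadata["KeyManager"],
        key_spec=metadata.get("KeySpec", "SYMMETRIC_DEFAULT"),
        key_state=metadata["KeyState"],
        origin=metadata.get("Origin", "AWS_KMS"),
        rotation_enabled=bool(rotation_status.get("KeyRotationEnabled", False)),
    )


def needs_rotation_fix(key: KmsKey) -> bool:
    """True when the key is in scope for the check and rotation is disabled."""
    if key.key_manager != "CUSTOMER":
        return False  # AWS-managed keys are rotated by AWS; not the customer's call
    if key.key_state == "PendingDeletion":
        return False  # key is being retired; rotation cannot be changed
    if key.key_spec not in ROTATABLE_SPECS or key.origin not in ROTATABLE_ORIGINS:
        return False  # KMS does not support automatic rotation for these keys
    return not key.rotation_enabled


def find_unrotated_keys(keys: Iterable[KmsKey]) -> List[str]:
    """Return the IDs of keys that fail AVD-AWS-0065, in input order."""
    return [k.key_id for k in keys if needs_rotation_fix(k)]


def remediation_commands(key_ids: Iterable[str], region: str = "us-east-1") -> List[str]:
    """AWS CLI equivalent of step 8 (enable yearly rotation) for each flagged key."""
    return [f"aws kms enable-key-rotation --region {region} --key-id {kid}" for kid in key_ids]


# Constructed sample inventory (placeholder key IDs, not real keys).
SAMPLE_KEYS = [
    # customer-managed symmetric key, rotation off -> finding
    from_api({"KeyId": "00000000-0000-0000-0000-000000000001", "KeyManager": "CUSTOMER",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "Origin": "AWS_KMS"},
             {"KeyRotationEnabled": False}),
    # customer-managed symmetric key, rotation on -> compliant
    from_api({"KeyId": "00000000-0000-0000-0000-000000000002", "KeyManager": "CUSTOMER",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "Origin": "AWS_KMS"},
             {"KeyRotationEnabled": True}),
    # AWS-managed key (aws/s3 style) -> out of scope
    from_api({"KeyId": "00000000-0000-0000-0000-000000000003", "KeyManager": "AWS",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "Origin": "AWS_KMS"},
             {"KeyRotationEnabled": True}),
    # asymmetric signing key -> rotation unsupported, out of scope
    from_api({"KeyId": "00000000-0000-0000-0000-000000000004", "KeyManager": "CUSTOMER",
              "KeySpec": "RSA_2048", "KeyState": "Enabled", "Origin": "AWS_KMS"},
             {"KeyRotationEnabled": False}),
    # imported key material -> rotation unsupported, out of scope
    from_api({"KeyId": "00000000-0000-0000-0000-000000000005", "KeyManager": "CUSTOMER",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "Origin": "EXTERNAL"},
             {"KeyRotationEnabled": False}),
    # second non-rotated symmetric key, but scheduled for deletion -> skipped
    from_api({"KeyId": "00000000-0000-0000-0000-000000000006", "KeyManager": "CUSTOMER",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "PendingDeletion", "Origin": "AWS_KMS"},
             {"KeyRotationEnabled": False}),
]

if __name__ == "__main__":
    flagged = find_unrotated_keys(SAMPLE_KEYS)
    print("Keys without automatic rotation:", flagged)
    for cmd in remediation_commands(flagged):
        print(cmd)
```

To run this against a real account, feed `from_api` the `KeyMetadata` of each `aws kms describe-key` result together with the matching `aws kms get-key-rotation-status` output; the scope filters keep the findings limited to keys on which rotation can actually be enabled, which is what makes the emitted remediation commands safe to apply without further triage.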

Configure KMS key to auto rotate

resource "aws_kms_key" "good_example" {
  # Enable automatic yearly rotation of the key material (fixes AVD-AWS-0065).
  enable_key_rotation = true
}